Configuring DHCP Security with Q-in-Q Tunneling in Service Provider Style
Junos OS supports two different styles of configuration for switch interfaces: service provider style and enterprise style. The service provider style requires more configuration but provides greater flexibility. The enterprise style is easier to configure but offers less functionality.
With the enterprise style of configuration, logical interfaces are placed into Layer 2 mode by specifying ethernet-switching as the interface family. The ethernet-switching option can only be configured on a single logical unit, unit 0. You cannot bind a VLAN ID to unit 0, because these interfaces operate either in trunk mode, which supports traffic with various VLAN tags, or in access mode, which supports untagged traffic.
Some switching features, such as Q-in-Q tunneling, cannot be configured on logical interface unit 0. Q-in-Q tunneling requires the logical interface to transmit VLAN-tagged frames. To enable a logical interface to receive and forward VLAN-tagged Ethernet frames, you must bind the logical interface to that VLAN. Because the enterprise style does not allow binding of a VLAN ID to unit 0, you must use the service provider style to configure Q-in-Q tunneling.
To support DHCP security along with Q-in-Q tunneling, you can configure the following DHCP security features using the service provider style:
- DHCP snooping (DHCPv4 and DHCPv6)
- Dynamic ARP inspection
- Neighbor discovery inspection
- DHCP option 82
- DHCPv6 option 18 and option 37
- Lightweight DHCPv6 relay agent
You can combine the service provider and enterprise styles of configuration on the same physical interface using flexible Ethernet services encapsulation. With flexible Ethernet services encapsulation, you can configure encapsulations at the logical interface level instead of at the physical interface level. Defining multiple per-unit Ethernet encapsulations makes it easier to customize Ethernet-based services to multiple hosts connected to the same physical interface. For more information, see Flexible Ethernet Services Encapsulation .
EX4300 switches do not support configuration of service provider style and enterprise style on the same physical interface.
Example: DHCP Security and Q-in-Q Tunneling with Service Provider Style Configuration
When configuring a physical interface to support only the service provider style,
configure the extended-vlan-bridge encapsulation type to
support bridging features. You must also configure native VLAN tagging on the
physical interface so that it can operate in trunk mode and transmit Ethernet
frames with VLAN tags for multiple VLANs. Configure flexible VLAN tagging on the
interface to transmit packets with 802.1Q VLAN single-tagged and dual-tagged
frames.
The following example configuration encapsulates physical interface ge-0/0/11 for service provider configuration and defines logical unit 111. VLAN ID v111 is bound to unit 111, and Q-in-Q tunneling is configured on logical interface ge-0/0/11.111. The configuration enables DHCP snooping, dynamic ARP inspection, and DHCP option 82 on VLAN v111.
set interfaces ge-0/0/11 flexible-vlan-tagging set interfaces ge-0/0/11 native-vlan-id 112 set interfaces ge-0/0/11 encapsulation extended-vlan-bridge set interfaces ge-0/0/11 input-native-vlan-push enable set interfaces ge-0/0/11 unit 111 vlan-id-list 111-112 set interfaces ge-0/0/11 unit 111 input-vlan-map push set interfaces ge-0/0/11 unit 111 output-vlan-map pop set vlans V111 interface ge-0/0/11.111 set vlans V111 forwarding-options dhcp-security group TRUSTED overrides trusted set vlans V111 forwarding-options dhcp-security group TRUSTED interface ge-0/0/11.111 set vlans V111 forwarding-options dhcp-security arp-inspection set vlans V111 forwarding-options dhcp-security option-82 remote-id use-interface-description logical
Example: DHCP Security and Q-in-Q Tunneling with Flexible Ethernet Services Encapsulation
The flexible Ethernet services encapsulation type enables a physical interface to
support both styles of configuration. To support the service provider style,
flexible Ethernet services allows for encapsulations to be configured at the
logical interface level instead of the physical interface. To support the
enterprise style, flexible Ethernet services allows the
ethernet-switching family to be configured on any logical
interface unit number.
The following example configuration encapsulates physical interface ge-0/0/11
with flexible-ethernet-services to support service provider and
enterprise style configurations. Two logical units are defined on the physical
interface: unit 111 for service provider style, and unit 0 for enterprise style.
The vlan-bridge encapsulation enables bridging features on unit
111, and the ethernet-switching family enables bridging
features on unit 0. Q-in-Q tunneling is configured on logical interface
ge-0/0/11.111.
VLAN v111 is bound to unit 111 and has the following DHCP security features:
- DHCP snooping with option 82 and trusted override
- Dynamic ARP inspection
VLAN EP_v222 is bound to unit 0 and has the following DHCP security features:
- DHCP snooping with option 82
- Dynamic ARP inspection
- Neighbor discovery inspection
Interfaces with service provider style configuration are untrusted by default for DHCP. On interfaces with enterprise style configuration, access interfaces are untrusted and trunk interfaces are trusted.
set interfaces ge-0/0/11 flexible-vlan-tagging set interfaces ge-0/0/11 native-vlan-id 112 set interfaces ge-0/0/11 encapsulation flexible-ethernet-services set interfaces ge-0/0/11 input-native-vlan-push enable set interfaces ge-0/0/11 unit 111 encapsulation vlan-bridge set interfaces ge-0/0/11 unit 111 vlan-id-list 111-112 set interfaces ge-0/0/11 unit 111 input-vlan-map push set interfaces ge-0/0/11 unit 111 output-vlan-map pop set interfaces ge-0/0/11 unit 0 family ethernet-switching interface-mode trunk set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members EP_V222 set vlans V111 interface ge-0/0/11.111 set vlans V111 forwarding-options dhcp-security group TRUSTED overrides trusted set vlans V111 forwarding-options dhcp-security group TRUSTED interface ge-0/0/11.111 set vlans V111 forwarding-options dhcp-security arp-inspection set vlans V111 forwarding-options dhcp-security option-82 remote-id use-interface-description logical set vlans EP_V222 vlan-id 222 set vlans EP_V222 forwarding-options dhcp-security arp-inspection set vlans EP_V222 forwarding-options dhcp-security neighbor-discovery-inspection set vlans EP_V222 forwarding-options dhcp-security option-82 remote-id use-interface-description logical
Example: DHCP Security and Q-in-Q Tunneling with Support for Swap-Push/Pop-Swap
Q-in-Q tunneling and VLAN translation allow service providers to create an L2 Ethernet connection between two customer sites. Providers can segregate different customers’ VLAN traffic on a link.
Q-in-Q tunneling with L2 swap-push/pop-swap support is a specific scenario in
which the customer VLAN (C-VLAN) tag is swapped with the
inner-vlan-id tag, and the service-provider-defined service
VLAN (S-VLAN) tag is pushed on it (for traffic flowing from customer to service
provider site). This traffic is sent to the service provider network
double-tagged (S-VLAN + C-VLAN). For the traffic flowing from the service
provider network to the customer network, the S-VLAN tag is removed, and the
C-VLAN tag is replaced with the VLAN ID configured on the UNI logical
interface.
The following example shows the swap-push/pop-swap dual tag operations.
- Swap-push—For incoming-single tagged frame from UNI, the C-VLAN (VLAN ID 100) swaps with configured inner-VLAN ID (200) on logical interface and the S-VLAN (VLAN ID 900) pushes on to the frame. The double-tagged frame egresses out of NNI.
- Pop-swap—For incoming double-tagged frame from NNI, the S-VLAN tag pops (VLAN ID 900) from the frame and the logical interface's VLAN ID 100 replaces the C-VLAN tag. The single-tagged frame egresses out of UNI.
To support DHCP security along with Q-in-Q tunneling, you can configure the following DHCP security features:
- DHCP snooping (DHCPv4 and DHCPv6)
- Dynamic ARP inspection
- DHCPv6 source-guard
- Neighbor discovery inspection
- DHCP option 82
- DHCPv6 option 37
set interfaces ge-0/0/1 description UNI set interfaces ge-0/0/1 flexible-vlan-tagging set interfaces ge-0/0/1 encapsulation flexible-ethernet-services set interfaces ge-0/0/1 unit 100 encapsulation vlan-bridge set interfaces ge-0/0/1 unit 100 vlan-id 100 set interfaces ge-0/0/1 unit 100 input-vlan-map swap-push set interfaces ge-0/0/1 unit 100 input-vlan-map vlan-id 900 set interfaces ge-0/0/1 unit 100 input-vlan-map inner-vlan-id 200 set interfaces ge-0/0/1 unit 100 output-vlan-map pop-swap set interfaces ge-0/0/2 description NNI set interfaces ge-0/0/2 flexible-vlan-tagging set interfaces ge-0/0/2 encapsulation flexible-ethernet-services set interfaces ge-0/0/2 unit 900 encapsulation vlan-bridge set interfaces ge-0/0/2 unit 900 vlan-id 900 set vlans vlan-900 interface ge-0/0/1.100 set vlans vlan-900 interface ge-0/0/2.900 set vlans vlan-900 forwarding-options dhcp-security arp-inspection set vlans vlan-900 forwarding-options dhcp-security ip-source-guard set vlans vlan-900 forwarding-options dhcp-security neighbor-discovery-inspection set vlans vlan-900 forwarding-options dhcp-security ipv6-source-guard set vlans vlan-900 forwarding-options dhcp-security group trusted overrides trusted set vlans vlan-900 forwarding-options dhcp-security group trusted overrides no-option82 set vlans vlan-900 forwarding-options dhcp-security group trusted overrides no-dhcpv6-options set vlans vlan-900 forwarding-options dhcp-security group trusted interface ge-0/0/2.900
If you configure the logical interface with a VLAN ID list and the input-vlan-map and output-vlan-map is configured as swap-push/pop-swap, it results in undesired behavior as the traffic regressing out of the UNI has a logical unit number instead of the original customer VLAN ID from VLAN ID list configured.